Purpose of Knowledge Article:

A guide to installing Google Authenticator on your mobile device and setting up an MFA token in the Google Authenticator app.

Warning

If you use Google Authenticator on your personal or Lab-issued mobile device, Lab policy requires that the device be configured to use a lock screen (PIN, pattern, fingerprint, etc.).

Resolution:

Note

These instructions must be followed on a computer so that the mobile device can be used to scan a barcode off of the computer's monitor. Try using Google Chrome in Incognito window mode or Firefox in Private window mode if you are having some trouble.

Install Google Authenticator and add MFA token on Android

What is Token management/Authentication?

Security tokens are another method to authenticate the user to LBL's network. They provide an added level of security against unauthorized access. Token management will be used for those devices that use Active Directory, which includes Windows-based machines and mobile phones.

What is the New Token Solution?

To better protect LBL's assets and intellectual property, we have continued to use a hardware and software approach to credential security. Hackers sometimes use keyloggers or packet sniffers to read a person's username and password. A proven, though not guaranteed, way to protect against such attacks is to use dynamic One-Time Passwords (OTPs). Our implementation will continue to use software (Google Authenticator) and hardware (YubiKey) solutions.

What is Google Authenticator?

Google Authenticator is a software app that must be installed on your local device, typically your phone, and that generates the OTP needed to log into LBL's systems. The token is valid for 30 seconds. A countdown timer is shown that can help you determine the expiration time. Should it expire, a new token is automatically generated, and this token is what should be used when you log in.

What is a YubiKey?

YubiKey is a hardware OTP token generator that can also save a user's credentials. It is manufactured by Yubico and used by Facebook and Google. First, insert the YubiKey into a USB port on your computer before logging in. You may need to wait for the YubiKey to install the correct device drivers on first use. To use this key when logging in to LBL's systems, enter your LBL username and password, and the YubiKey will insert the OTP into the appropriate field once you tap the gold contact. Then hit return. The "YubiKey 4" hard key is small (2" x 0.75") and can be carried on a key ring. The "YubiKey 4 Nano" is meant to be inserted into a computer's USB port. Each YubiKey is issued to a specific LBL user and registered by the IT department. You must know where your YubiKey is because it is assigned specifically to you. Should you lose this device, you must report it to IT immediately.

What if I forget my YubiKey at home?

You can use Google Authenticator to log in instead.

What if I lose my YubiKey? 

 

1. You will need to report the loss to IT Help Desk at x4357 or online, and wait for a new YubiKey to be assigned to you.
2. Go to the OTP Homepage, and click on "Lost (disable)" for that specific YubiKey.
3. Click "Disable" to permanently disable the hard key.

How Do I Register My Devices for OTP?

YubiKey

1. Go to the OTP Token Management webpage. Click the "Berkeley Lab login" button.

2. If your YubiKey is registered, you will see it listed on your OTP Homepage as "BerkeleyLabKey ".

3. On first use, insert your key into a USB slot on your computer. The required device drivers will automatically install.

4. OPTIONAL: You may resync your YubiKey by clicking on the "Resync" link. You will need your YubiKey handy.

5. Insert the YubiKey into your computer, and while the cursor is on the "One-Time Password 1" field, tap the gold, circular "Y" symbol on the top of the YubiKey 4. A tap on the metal will generate an OTP key and auto-populate the field. Then, move the cursor to the second field, "One-Time Password 2", and press the gold, circular "Y" symbol on the top of the YubiKey 4. You will see an OTP key auto-populate the field.

Note: if you are using the YubiKey 4 Nano, press the rounded front of the key protruding from the USB port instead of pressing the gold, circular "Y".

Then, click "Resync".

6. OPTIONAL: On the OTP homepage, you may verify if the OTP is working by clicking on the "Test" link below your device's nickname.

7. With the YubiKey in the USB port, press on the YubiKey's gold, circular "Y" symbol or the rounded front end to generate the OTP. Click "Test Now". If it is successful, you will see the message, SUCCESS! You can test again or click "Done".

Google Authenticator

1. On your mobile device, find the Google Authenticator application in the Google Play Store. Install and open the app.

2. On your mobile device, tap "Begin setup".

3. On your mobile device, tap "Scan a barcode", leave the app on that screen, and go to your computer.

Tip

If you are missing a "Barcode Scanner", the app will prompt you to install a suggested app. Tap "Install" to install it. After installation has completed, tap "Scan a barcode" once more in Google Authenticator.

4. On your computer, go to https://identity.lbl.gov/mfa to add a token and create a barcode.

You must generate a barcode at the above link to continue installation. This step must be done on a computer, as you will need to scan the barcode with your mobile device.

Click the "Add an LBL token" link.

4a. Select the authorization method by which you can receive an authorization code.

Select either:

  • Email: <personal email address on record>
  • SMS (text message): <personal phone number on record>

For this example, SMS (text messaging) is used.

Click the "Start" button to receive a text or email with the authorization code.

4b. Type the authorization code you received in your email or on your mobile device into the "Enter Authorization Code" field on the computer and give the registered device a meaningful nickname in the "Token Name" field. We recommend including the month, year, and model to easily identify the device. Example: Jay's iPhone 11, August 2020

Click "Add Token." Note that there is a time limit for completing this step.

If time has expired, click "Cancel" and retrieve a re-issued token.

4c. You will see a QR code on the computer screen that you must scan with Google Authenticator on your mobile device.

If you have not done so, install the "Google Authenticator" app from the Google Play Store.

7. To install the Google Authenticator app, please go to the Google Play Store on your phone.

8. Find the Google Authenticator application and install it. Then open the app.

9. Tap "Begin setup".

10. Then, tap "Scan a barcode" or "Enter provided key". In our example, we will scan a barcode.

11. Google Authenticator will check if you have a barcode scanner installed. If a barcode scanner is missing, the app will prompt you to install a suggested app.

12. Tap "Install" to install the suggested ZXing "Barcode Scanner" app. Your device may select another suitable barcode scanner (which would also be sufficient). After installation has completed, close the app.

13. Run Google Authenticator by choosing the "Authenticator" icon in your device's icon gallery. Tap "Scan a barcode", which is where you left off earlier.

14. Aim your phone's camera at the 2-D barcode in the browser when the barcode scanner runs inside Google Authenticator. You may need to slowly adjust the distance and angle of your phone to allow the camera to auto-focus and capture the barcode image. You will only have ONE CHANCE to scan this code.

15. If the barcode scan is successful, you will see the 6-digit OTP (One-Time Password) on your device. This code is valid for 30 seconds only. You must enter the token when you log in with your username and password. If you happen to take longer than 30 seconds, then use the most current auto-generated OTP.

Note that there is a 30-second timer on screen.

Note

You only have ONE CHANCE to scan this code. Do not close this window until you have successfully scanned the code.

5. If the barcode scan is successful, you will see the 6-digit OTP (One-Time Password) on your mobile device.

This code is valid for 30 seconds only. As the time limit approaches, you may see the code turn red. If you cannot enter it immediately, then wait a few seconds until the next code appears.

Once you have scanned the code, click "I have scanned the code" next to the QR code.

Install Google Authenticator and add MFA token on iOS Device

1. Install Google Authenticator

1. On your iOS device (iPhone/iPad), open the App Store.

2. At the bottom, click the Search icon.

3. In the search field, type in Google Authenticator.

4. Click Search.

5. In the results, click Get or the icon for Google Authenticator.

6. Once it has finished downloading, click Open and continue to the 2. Setup MFA Token section of the instructions.

2. Add an MFA token

1. On a computer with internet access, go to https://identity.lbl.gov/mfa. If you are prompted to log in with your Berkeley Lab Identity account, do so.

2. On the Multifactor Authentication (MFA) Management page, click Add an LBL token in the bottom left corner of the page.

3. Select your preferred Authorization Method that is available to you using the drop-down menu:

  • Email
  • SMS
  • StrongID

Be sure you have access to the Authorization Method you selected.

4. Click Start.

5. Provide the Authorization Code you received from Step 3.

6. Type in a Token Name you would like to use. For example:

  • Pixel6
  • iphone12
  • Uranus
  • Pizza

Note: the name acts as an identifier so you know which device the token is on.

7. Click Add Token.

8. A QR code will appear.

9. If you have not launched the Google Authenticator app, launch it on your iPhone/iPad.

Note: If you do not have the Google Authenticator app installed, see the previous section, 1. Install Google Authenticator.

10. Select Use Authenticator without an account.

11. Click the colorful plus icon at the bottom right, or Get Started first and then the colorful plus icon.

12. Select Scan a QR code to activate the camera.

Note: you may be prompted to give the Google Authenticator app permission to access your phone; follow the prompt to allow it.

13. Point the camera at the QR code, and make sure you adjust the camera so the QR code is within the green indicator box. It will automatically scan the QR code, and the new token for Lawrence Berkeley National Laboratory with a 6-digit code will appear in your Google Authenticator app on your phone.

14. Click I have scanned the code.

15. On the Multifactor Authentication (MFA) Management page, you will see your new token listed.

16. You're done.

Your OTP dashboard should show all of your devices from which you will log into LBL's systems that require an OTP (including the one you just entered). Registration is complete now.

Test Google Authenticator

1. Go to https://identity.lbl.gov/mfa/ to verify if your OTP is working by clicking on the "Test" link below your device's nickname.

2. Enter Google Authenticator's time-sensitive OTP from your device into the "One-Time Password" field and click "Test Now".

Note that once the time has expired, the token will be invalid.

Note

Only the newest OTP should be entered into the field for verification; expired codes will not work.

3. You should see a Success! You can test again or click "Done" message if successful.

If there is a problem, you may restart the registration or call the help desk at x4357.

Remove a Token

Warning

Ensure you have another form of MFA set up before removing a token.

1. Go to https://identity.lbl.gov/mfa/ and identify the device that you want to permanently stop using.

Note

Ensure you have another form of OTP to use before removing your device. This does not remove the requirement for OTP on certain logins.

2. OPTIONAL: On the OTP dashboard, you may click on "Delete" if you decide to permanently stop using the device to access LBL assets that require an OTP. Click "Delete" to confirm the deletion.

If you were using the Pledge application from Nordic Edge, you may uninstall it now.